This insight highlights why it is crucial for organizations to re-evaluate their Internal Audit and SOX programs to ensure better governance and performance. It also discusses how they can upgrade their programs to enhance risk coverage and support organizational growth.
As organizations step up for high growth by launching new businesses, products, and services, and expand into newer geographies, they also need to upgrade their internal audit and SOX compliance programs to enhance risk coverage and ensure better governance and business performance at lower costs. With scrutiny and expectations from external auditors, cost, and effort all increasing, organizations need to reexamine their current internal audit and internal control management programs to see whether they are scalable enough to support the organization's growth and changing risk profile.
Organizations are seeing a huge impact on the overall cost of compliance programs, the money paid to external auditors, the time spent by internal teams, and the effectiveness of the program itself, due to the lack of a structured approach, a decentralized internal controls function, and not using the right technology and tools. Organizations that have automated their manual processes and controls have matured their SOX compliance and Internal Audit programs and have been able to drive continuous improvement of business processes, and financial growth as well.
According to the 2016 Sarbanes-Oxley Compliance Survey by Protiviti, the estimated internal cost (excluding external audit-related fees) for an organization is an average of $1.1 million, and the hours spent on SOX compliance have increased by more than 10% compared to 2015. On average, organizations had 50 entity-level controls and 96 process-level controls, of which 45-50% are classified as key controls. For each key control, organizations spent more than 42 hours, including testing or re-testing for control operating effectiveness, testing management review controls, testing data produced by the entity to execute key controls, creating and updating control documentation, and evaluating and remediating control design. As the number of hours devoted to SOX compliance increases, so does the cost.
Here are some of the focus areas or practices companies are following now to improve process effectiveness:
Also, with increasing cyber security incidents, organizations are planning to take a fresh look at their IT controls and decide on regular assessment and testing, and on disclosure and reporting mechanisms.
Internal auditors play an important role in helping organizations ensure effective compliance, manage existing and emerging risks, and improve business performance by providing timely, valuable, and meaningful risk insights. However, the board and executive management are asking internal auditors to do more and solidify their role as strategic partners.
According to PwC's 2016 study "State of the Internal Audit Profession," about 62% of stakeholders expect more value from internal auditors, including half of those who already reported experiencing significant value.
In most organizations, internal auditors play a significant role in implementing SOX, and studies have proved that organizations derive significant benefits when auditors contribute to the SOX program.
In its survey, Protiviti quoted organizations as saying that their audit committee has primary responsibility for SOX compliance; this increased from 11 percent in 2013 to 35 percent in 2016.
Convergence with the internal audit function can be facilitated by including internal audit in all key management committees, requiring and enforcing timely management responses and action plans for all significant internal audit findings, and creating a reporting hierarchy and culture whereby internal audit can present potentially contentious issues without hesitation. Internal audit can provide internal controls and COSO training to management and serve as a subject matter expert for the organization.